AWS Security Blog

New Playground App to Explore Web Identity Federation with Amazon, Facebook, and Google

In May 2013, we announced support for federation using identities Amazon, Facebook, and Google (a.k.a. web identity federation), which allows your apps to authenticate users via Amazon, Facebook, or Google and then access AWS resources managed under your account.

To help you understand how web identity federation works, today we’re releasing the Web Identity Federation Playground. This is an interactive web page that lets you explore the three key steps of web identity federation.  First, you sign in with Amazon, Facebook, or Google.  Next, you make an AWS request to obtain temporary security credentials.  Lastly, you use those temporary security credentials to access an AWS resource (AWS S3 in this case). In addition, the Playground is entirely self-contained (no need to use the AWS CLI, SDKs, or Management Console) so you can try it out without writing any code!

In this blog post, we’ll walk through the steps of using the Web Identity Federation Playground.

Step 1

Start by choosing one of the three supported identity providers. Note that you’ll need to have a pre-existing identity with the provider that you choose.

Screenshot of three identity providers to choose from

You’ll be prompted to sign in to the identity provider you selected.

Screenshot of the identity provider sign-in page

After you sign in, you see the response from the identity provider, including a web identity token.

Step 2

Exchange that web identity token received from the identity provider for AWS temporary security credentials. The Playground gets temporary security credentials by calling the STS:AssumeRoleWithWebIdentity API, passing in the web identity token as a parameter. You can see the parameters it’s passing when it calls AssumeRoleWithWebIdentity, as well as the response.  To learn more about temporary security credentials, refer to our documentation.

Screenshot of obtaining temporary security credentials

Step 3

Finally, you’ll access AWS resources (in the “Action” drop-down, you can choose S3:ListBucket or S3:GetObject). The Playground takes the temporary security credentials it received in Step 2 and uses them to make a request to S3. Note that whichever action you choose, you’re looking into an AWS-owned S3 bucket that we created for this Playground, not a bucket that belongs to you.

Screenshot of accessing AWS resources

On the right side, you can see the response from S3 immediately: either a list of objects in an S3 bucket (ListBucket) or the contents of a .txt file stored in S3 (GetObject). The screenshot below shows the response from GetObject.

Screenshot showing response from GetObject

If you want to dive deeper, go ahead and take a look at our code—the Web Identity Federation Playground is written entirely in JavaScript and HTML, so you can view the page source and see how the Playground is implemented.

Kai Zhao
Product Manager, AWS Identity and Access Management